http://undeadly.org/cgi?action=article;sid=20200622052207
The WireGuard VPN protocol has been available on OpenBSD as a port for a while, first as the wireguard-go implementation in Go, but later also as the wiresep port in C, both using tun(4) devices, much like OpenVPN and others, which incurs a slight penalty for crossing the kernel/userspace border for each packet.
WireGuard is a layer 3 tunnel that can be run in passive mode, only sending packets when something needs to reach the other side (unless you enable heartbeats). It only allows selected modern crypto algorithms and hashes, chosen to be performant on CPUs which lack crypto accelerators, while still being secure. WireGuard packets are sent over UDP, and can run over and transport both IPv4 and IPv6. It handles NAT/port redirects and endpoints changing IP addresses, which is very nice when changing from wired to wifi or vice versa.
(Score: 1, Interesting) by Anonymous Coward on Tuesday June 30 2020, @06:11PM
The example in the man page is basically what you need to do, but wg1 would be your local box, wg2 would be your VPN (so you'd get that information from your VPN provider). You wouldn't need to include the rdomain stuff unless you were using rdomains already.